Scope and purpose

A process hazards analysis is used to identify the safety functions necessary to reduce the risk of identified hazardous events. When a safety function is implemented in a safety instrumented system (SIS), it is referred to as a safety instrumented function (SIF). The risk reduction required from the SIF is related to one of four discrete safety integrity levels (SILs). The SIS, which executes one or more SIF, is designed and managed according to ANSI/ISA-61511, which establishes requirements necessary to claim a specified SIL.

A critical aspect of maintaining the SIL is the monitoring and management of the automation asset integrity (AAI) of the SIS equipment. Automation failures are often viewed in the process hazardous analysis as binary—either the equipment fails dangerously, allowing a hazardous event to propagate, or fails spuriously, causing a SIS to initiate its SIF. Today’s automation practices generally include diagnostics or other monitoring to identify degradation or “misoperation,” allowing equipment to be repaired or replaced prior to a functional failure. This technical report is an informative document providing guidance on establishing an effective AAI program that demonstrates through traceable and auditable documentation that the SIS and its equipment is inspected, tested, and maintained in a manner that ensures safe operation of the process.

This edition of ISA-TR84.00.03 provides considerations for establishing an AAI program for SIS; it focuses on how to plan and implement a comprehensive AAI program. This technical report does not provide complete details on how to safely or fully execute all AAI activities in an operating facility. Individuals who are assigned responsibility for AAI activities must determine what is necessary to maintain the safety integrity of a specific SIS.

The AAI program involves many activities that occur throughout the SIS lifecycle, but it predominantly focuses on the timely detection and correction of incipient/degraded conditions and complete failures to ensure that the SIS operates as specified when required. Rigorous inspection and thorough proof testing are needed for all SIS equipment whether existing or new. While the frequency of these activities may vary due to the required SIL, the intent and purpose of inspection and proof testing are not affected by the SIL. This technical report provides detailed guidance and examples to support user-specific work processes as part of an overall AAI program.

This technical report provides guidance and examples on the following subjects :

• transferring project documentation;

• selecting the maintenance strategy;

• developing AAI maintenance procedures;

• collecting and retaining maintenance documentation;

• defining personnel roles and responsibilities;

• ensuring maintenance personnel skills and training;

• planning for verification and validation;

• developing a verification and validation plan;

• developing factory acceptance test , loop commissioning, site acceptance test procedures;

• defining a management system and performance metrics;

• implementing configuration management and management of change;

• performing an audit to determine AAI program compliance.

This technical report refers to other ISA publications. This technical report does not repeat or replicate the content of these publications. References are provided when it is felt that the reader should pay particular attention to the publication’s more detailed guidance and requirements. For this technical report, the following are considered foundational publications:

• ISA-TR91.00.02-2003, Criticality Classification Guideline for Instrumentation

• ISA-TR108.1-2015, Intelligent Device Management Part 1: Concepts and Terminology

• ANSI/ISA-18.2-2016, Management of Alarm Systems for the Process Industries

• ISA-RP105.00.01-2017, Management of a Calibration Program for Industrial Automation and Control Systems

• ISA-TR96.05.01-2017, Partial Stroke Testing of Automated Valves

Scope and purpose

A process hazards analysis is used to identify the safety functions necessary to reduce the risk of identified hazardous events. When a safety function is implemented in a safety instrumented system (SIS), the risk reduction required from the safety instrumented function (SIF) is related to one of four discrete safety integrity levels (SIL). The function and system are designed and managed according to ANSI/ISA-84.00.01, which establishes requirements necessary to claim the specified SIL for the SIS throughout its life.

A critical aspect of maintaining the SIL is the implementation of a mechanical integrity (MI) program that monitors the installed performance of the SIS equipment and takes corrective action when the performance does not meet the requirements. This technical report is an informative document providing guidance on establishing an effective MI program that demonstrates through traceable and auditable documentation that the SIS and its equipment is maintained in the “as good as new” condition

This edition of ISA-TR84.00.03 provides considerations for establishing an MI program for SIS; it focuses on how to plan and implement a comprehensive MI program rather than including specific test procedures as in the previous edition. This technical report does not provide complete details on how to safely or fully execute all MI activities in an operating facility. Individuals who are assigned responsibility for MI activities must determine what is necessary to maintain the safety integrity of a specific SIS.

The MI program involves many activities that occur throughout the SIS lifecycle, but it predominantly focuses on the timely detection and correction of incipient/degraded conditions and complete failures to ensure that the SIS operates as specified when required. Rigorous inspection and complete proof testing is required for all SIS equipment whether existing or new. While the frequency of these activities may vary due to the required SIL, the purpose and goal of inspection and proof testing are not affected by the SIL.

Inspection and proof testing is required to:

• meet regulatory requirements

• meet ANSI/ISA-84.00.01 requirements

• meet equipment manufacturer requirements (e.g., safety manual)

• demonstrate through witnessed test and preventive maintenance records that the equipment is being maintained in the “as good as new” condition

• detect and correct unrevealed failures

• verify that the MI program and test interval are sufficient to ensure functional and integrity requirements are met for the equipment life

• monitor equipment for degradation mechanisms (incipient and degraded) which may compromise future performance

• identify when equipment has reached wear-out and requires replacement

• provide data and information to facilitate the evaluation of MI program success and to support continuous improvement

The technical report addresses:

• the identification of personnel roles and responsibilities when developing an MI plan,

• important considerations in establishing an effective MI program, and

• detailed guidance and examples to support user -specific work processes as part of an overall MI program.

Testing considerations of SIF should be included in most of the Safety Lifecycle steps described in ANSI/ISA-84.01-1996. Testing frequency is a part of the determination of Safety Integrity Level (SIL) for the SIF. Provision for conducting tests must be included in the selection of equipment and design of the SIF and the Pre-Startup Acceptance Test (PSAT) is an integral part of ensuring the SIF will provide the risk reduction necessary. When modifications are made to SIF, testing can validate that appropriate SIF action will still take place.

This technical report is an informative document providing guidance on performing testing of SIF components and systems that will help achieve full safety benefits of the SIF in the most cost-effective way. Both manual and automated techniques are presented for off-line and on-line testing of SIF and the benefits of each technique described. Existing techniques and proposed new techniques will be described. Utilizing the techniques described in conjunction with an overall safety management program will allow users to meet the testing requirements of ANSI/ISA-84.01-1996 and dIEC 61511. Techniques are described for testing all elements of the SIF including field sensors, final control elements, logic solvers (signal conversion modules included), Human Machine Interface (HMI), communication links with other systems, user application software, and other required auxiliaries such as power. Suggested inspection techniques for regular observation of equipment and components to detect potential problems are also presented.

The techniques described can also be used for testing burner management systems in conjunction with the NFPA 85 code.

These techniques are illustrated by the examples given in Annexes A-MM. Each Annex is an example of how one company might apply a given technique, and is not intended to represent a consensus solution within the process industry.

Purpose

Systematic testing of each Safety Instrumented Function (SIF) is required to ensure that dangerous unrevealed failures have not occurred that could render the SIF unable to perform the function for which it was provided. This testing ensures that all operational functions of the SIF are evaluated on a periodic schedule in accordance with the safety integrity requirement of the SIF. Many processes have operating cycles that are longer than the period between testing required achieving the safety integrity. Thus performing the required off-line testing necessitates shutting down the process. This is costly and puts unnecessary strain on equipment and necessitates going through shutdown and startup (which are usually the most dangerous periods of a process lifecycle) again. Therefore, the ability to perform testing while the process remains in operation is desirable.

There are also different ideas on what constitutes an acceptable test for various components of SIF. Whether the test is performed off-line, with the process down, or on-line with the process in operation, there are methods for performing the testing that ensure a high degree of detection of failures that might have occurred. Guidance is needed in the selection of these testing methods for both off-line and on-line situations.

There is also benefit in performing inspection activities on SIS equipment during normal operation of the process to detect any potential problem creating situations that might be developing. Guidance in what to look for, how often to inspect, and what to do when a condition is observed that could lead to a failure will enhance the safety integrity of the SIF.